OpenVPN daemon ignores cluster IP

Hi there,
I’m having some trouble setting up OpenVPN (server mode) on top of an existing VyOS cluster.

I have 2 hosts (let’s say 10.0.0.1 and 10.0.0.2) that share a virtual ip (let’s say 10.0.0.100) using VyOS clustering features. Traffic from the internet is coming through that virtual ip.

The issue I’m experiencing is that whenever a client connects, the first UDP packet comes to the active cluster member on the virtual IP address, but it then replies with its own eth0 address. This way, the client never receives an answer and TLS negotiation fails.

I’ve been able to diagnose this behavior using tcpdump:

19:18:41.025890 IP (tos 0x0, ttl 50, id 27901, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:41.026708 IP (tos 0x0, ttl 64, id 41449, offset 0, flags [DF], proto UDP (17), length 54)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 26
19:18:42.120234 IP (tos 0x0, ttl 50, id 41636, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:42.120420 IP (tos 0x0, ttl 64, id 41667, offset 0, flags [DF], proto UDP (17), length 50)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 22
19:18:43.161388 IP (tos 0x0, ttl 50, id 47711, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:43.161522 IP (tos 0x0, ttl 64, id 41702, offset 0, flags [DF], proto UDP (17), length 54)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 26
19:18:44.263282 IP (tos 0x0, ttl 50, id 45376, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:44.263414 IP (tos 0x0, ttl 64, id 41725, offset 0, flags [DF], proto UDP (17), length 50)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 22
19:18:45.264311 IP (tos 0x0, ttl 50, id 62267, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:45.264461 IP (tos 0x0, ttl 64, id 41768, offset 0, flags [DF], proto UDP (17), length 50)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 22

(I only replaced my client ip with 55.55.55.55).

My current OpenVPN interface config is as follows:

 openvpn vtun0 {
     description "OpenVPN TEST"
     local-port 1194
     mode server
     persistent-tunnel
     protocol udp
     server {
         name-server 10.0.0.30
         name-server 10.0.0.31
         push-route 10.0.0.0/16
         subnet 10.99.0.0/24
         topology subnet
     }
     tls {
         ca-cert-file /config/auth/ca.crt
         cert-file /config/auth/server.crt
         crl-file /config/auth/crl.pem
         dh-file /config/auth/dh.pem
         key-file /config/auth/server.key
     }
 }

Am I missing something?
Thanks in advance!


The solution was super easy indeed: I missed local-host in the vtun interface configuration.

I probably posted too soon :man_facepalming:

Setting local-host works on the master node, but as soon as I apply the same configuration to the slave, I get:

OpenVPN configuration error: No interface on system with specified local-host IP address 10.0.0.100.

Does that mean that there’s no real way to bring up OpenVPN server on a VyOS cluster?

delete interfaces openvpn vtun0 local-host
set interfaces openvpn vtun0 openvpn-option multihome

This should make it listen on 0.0.0.0 (all IPs).

@sonicbx that way the main issue of the topic will show up again (that is, VyOS sending OpenVPN packets to clients from its own interface instead of from the cluster IP), won’t it?

@sonicbx it worked, just tested and it behaves exactly the way I wished.
Thanks mate!
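Why the multihome option resolves the thread, as an added example (not code from the thread, from VyOS or from OpenVPN): a UDP server bound to 0.0.0.0 lets the kernel choose the reply's source address, which is why replies to packets sent to the VIP left from the node's own address in the capture above. OpenVPN's --multihome asks the kernel for the destination of each datagram (IP_PKTINFO on Linux) and replies from that same address; the sketch below reproduces both behaviours. Linux only; the loopback addresses 127.0.0.1/127.0.0.2 standing in for the node address and the VIP, the port and the payload are constructed.

```python
import socket
import struct

# Added example, not from the thread. Linux only. The demo addresses are constructed.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)  # Linux value; older Python builds lack the constant
PKTINFO_FMT = "I4s4s"  # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr

def parse_pktinfo(ancdata):
    """Destination IP of a received datagram from recvmsg() ancillary data, or None if absent."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, data[:12])
            return socket.inet_ntoa(addr)
    return None

def build_pktinfo(src_ip):
    """Ancillary data that makes sendmsg() use src_ip as the reply's source (ipi_spec_dst)."""
    raw = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(src_ip), socket.inet_aton(src_ip))
    return [(socket.IPPROTO_IP, IP_PKTINFO, raw)]

def serve_one(sock, multihome):
    """Answer one datagram. With multihome=False the kernel picks the reply's source
    address (the broken behaviour in the capture above); with True the reply leaves from
    the address the request was sent to, which is what OpenVPN's --multihome does."""
    data, ancdata, _flags, peer = sock.recvmsg(2048, socket.CMSG_SPACE(12))
    dst = parse_pktinfo(ancdata)
    if multihome and dst:
        sock.sendmsg([b"reply:" + data], build_pktinfo(dst), 0, peer)
    else:
        sock.sendto(b"reply:" + data, peer)
    return dst

if __name__ == "__main__":
    # Constructed loopback demo: 127.0.0.2 plays the cluster VIP, 127.0.0.1 the node's own address.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # ask the kernel for each datagram's destination
    srv.bind(("0.0.0.0", 0))  # all addresses, like OpenVPN without local-host
    for multihome in (False, True):
        cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        cli.settimeout(1)
        cli.connect(("127.0.0.2", srv.getsockname()[1]))  # a connected UDP socket drops replies from other sources
        cli.send(b"hello")
        print("multihome" if multihome else "plain", "request arrived at", serve_one(srv, multihome), end=": ")
        try:
            print("client got", cli.recv(64))
        except socket.timeout:
            print("client got nothing, the reply left from the wrong source address")
```

Run as a script on a Linux host: the plain pass times out on the client side exactly like the TLS handshake in the thread, the multihome pass receives the reply.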

